How to Establish Goals for an Ethical Hacking Plan - dummies

By Kevin Beaver

Your testing plan needs goals. The main goal of ethical hacking is to find vulnerabilities in your systems from the perspective of the bad guys so you can make your environment more secure. You can then take this a step further:

  • Define more specific goals. Align these goals with your business objectives. What are you and the management trying to get from this process? What performance criteria will you use to ensure you’re getting the most out of your testing?

  • Create a specific schedule with start and end dates as well as the times your testing is to take place. These dates and times are critical components of your overall plan.

Before you begin any testing, you absolutely, positively need everything in writing and approved. Document everything and involve management in this process. Your best ally in your testing efforts is a manager who supports what you’re doing.
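One practical way to make the written schedule and scope do real work is to encode them as a gate that your tooling consults before it touches a host. The following is an added example, not code from the original article or its author: a small rules-of-engagement check in Python that refuses any target that is outside the approved address ranges, explicitly excluded, or requested outside the authorized dates and nightly window. The `RulesOfEngagement` class, the function names, the fixed UTC-5 offset and the sample scope data are all assumptions constructed for illustration.

```python
"""Rules-of-engagement gate: refuse to test anything outside the written scope
and schedule.  Added example; all names, ranges and dates below are constructed
for illustration and are not from the original article."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from ipaddress import ip_address, ip_network

# Fixed UTC-5 offset for the example; a real plan would use the site's zoneinfo.
LOCAL_TZ = timezone(timedelta(hours=-5), "EST")
UTC = timezone.utc


@dataclass
class RulesOfEngagement:
    approved_by: str                 # manager who signed the plan (must not be empty)
    in_scope: list                   # CIDR strings the client authorized
    excluded: list                   # hosts or ranges explicitly off-limits
    start: datetime                  # first permitted moment (timezone-aware)
    end: datetime                    # last permitted moment (timezone-aware)
    daily_window: tuple = (time(22, 0), time(6, 0))  # local hours; this one wraps midnight
    tz: timezone = LOCAL_TZ          # zone the daily window is expressed in


def when(year, month, day, hour, minute, tz=LOCAL_TZ):
    """Build a timezone-aware datetime; helper so callers never pass naive times."""
    return datetime(year, month, day, hour, minute, tzinfo=tz)


def target_in_scope(roe, host):
    """True only if host sits in an approved range and in no excluded range."""
    addr = ip_address(host)
    if any(addr in ip_network(n) for n in roe.excluded):
        return False
    return any(addr in ip_network(n) for n in roe.in_scope)


def within_window(roe, now):
    """True if 'now' (any timezone) falls inside both the date range and the daily hours."""
    local = now.astimezone(roe.tz)
    if not (roe.start <= local <= roe.end):
        return False
    lo, hi = roe.daily_window
    t = local.time()
    if lo <= hi:
        return lo <= t <= hi
    return t >= lo or t <= hi        # window such as 22:00-06:00 crosses midnight


def authorize(roe, host, now):
    """Return (allowed, reason). Record the reason either way: it becomes part of the
    engagement log that the deliverables summarize."""
    if not roe.approved_by:
        return False, "plan has no written approval"
    if not within_window(roe, now):
        return False, f"{host}: outside the authorized testing window"
    if not target_in_scope(roe, host):
        return False, f"{host}: not in scope or explicitly excluded"
    return True, f"{host}: authorized"


# Constructed sample plan: two approved ranges, one production host carved out,
# testing allowed 1-15 March 2024 between 22:00 and 06:00 local time.
SAMPLE_ROE = RulesOfEngagement(
    approved_by="J. Example, CIO",
    in_scope=["10.10.0.0/16", "203.0.113.0/24"],
    excluded=["10.10.5.10/32"],
    start=when(2024, 3, 1, 0, 0),
    end=when(2024, 3, 15, 23, 59),
)

if __name__ == "__main__":
    checks = [
        ("10.10.1.5", when(2024, 3, 3, 23, 30)),        # in scope, inside window
        ("10.10.5.10", when(2024, 3, 3, 23, 30)),       # excluded production host
        ("10.10.1.5", when(2024, 3, 3, 14, 0)),         # business hours, not allowed
        ("192.0.2.1", when(2024, 3, 3, 23, 30)),        # never approved
        ("10.10.1.5", when(2024, 3, 4, 4, 30, UTC)),    # 23:30 local the night before
    ]
    for host, ts in checks:
        print(authorize(SAMPLE_ROE, host, ts))
```

Run the gate from whatever wrapper launches your scanners, and keep its log alongside the signed plan: an entry that shows a target was refused because it was out of scope is as useful in the final report as the findings themselves.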

The following questions can start the ball rolling when you define the goals for your ethical hacking plan:

  • Does your testing support the mission of the business and its IT and security departments?

  • What business goals are met by performing ethical hacking? These goals may include the following:

    • Working through Statement on Standards for Attestation Engagements (SSAE) 16 audits (SSAE 16 has since been superseded by SSAE 18, which governs today's SOC 1 reports)

    • Meeting regulatory and industry requirements such as the Health Insurance Portability and Accountability Act (HIPAA), a federal regulation, and the Payment Card Industry Data Security Standard (PCI DSS), which is not a law but a contractual standard imposed by the card brands

    • Meeting contractual requirements of clients or business partners

    • Maintaining the company’s image

    • Prepping for certification against the internationally accepted security standard ISO/IEC 27001:2013 (revised as ISO/IEC 27001:2022)

  • How will this testing improve security, IT, and the business as a whole?

  • What information are you protecting? This could be personal health information, intellectual property, confidential client information, or employees’ private information.

  • How much money, time, and effort are you and your organization willing to spend on security assessments?

  • What specific deliverables will there be? Deliverables can include anything from high-level executive reports to detailed technical reports and write-ups on what you tested, along with the outcomes of your tests. You can also deliver specific information gleaned during your testing, such as passwords and other confidential information. Treat such material as sensitive evidence: redact credentials in the written reports, store the raw data encrypted, share it only with the people named in the plan, and destroy or hand it back when the engagement ends.

  • What specific outcomes do you want? Desired outcomes include the justification for hiring or outsourcing security personnel, increasing your security budget, meeting compliance requirements, or enhancing security systems.

After you know your goals, document the steps to get there. For example, if one goal is to develop a competitive advantage to keep existing customers and attract new ones, determine the answers to these questions:

  • When will you start your testing?

  • Will your testing approach be blind (black box), in which you know nothing about the systems you’re testing, or knowledge-based (white box), in which you’re given specific information about the systems you’re testing, such as IP addresses, hostnames, and even usernames and passwords? Many engagements fall in between (gray box), with partial information such as address ranges but no credentials.

  • Will your testing be technical in nature, involve physical security assessments, or even use social engineering?

  • Will you be part of a larger ethical hacking team, sometimes called a tiger team or red team?

  • Will you notify the affected parties of what you’re doing and when you’re doing it? If so, how?

    Customer notification is a critical issue. Many customers appreciate that you’re taking steps to protect their information. Approach the testing in a positive way. Don’t say, “We’re breaking into our own systems to see what information is vulnerable to hackers,” even if that’s what you’re doing. Instead, say that you’re assessing the overall security of your network environment so the information will be as secure as possible.

  • How will you know whether customers even care about what you’re doing?

  • How will you notify customers that the organization is taking steps to enhance the security of their information?

  • What measurements can ensure that these efforts are paying off?

Establishing your goals takes time, but you won’t regret it. These goals are your road map. If you have any concerns, refer to these goals to make sure that you stay on track.